
Ransomware Attack! What To Do

Brian Harkins • Sep 15, 2019

Ransomware is soundly defeated by Backup Data

FIRST THING TO DO: If your computer has ransomware, then isolate the computer from all other devices and the network/internet. Do NOT turn off your computer, and do NOT use your computer to create, edit, or save information. That can change the status of current data. You need things to stay as they are. Call your IT Department if you have one. Most of the information on here is for a Windows computer. There are detailed instructions below. It is advisable to hire a professional private investigator to recover your computer files.

One of the most insidious cyber threats today is ransomware. An article we reviewed cited a DOJ report of 4,000 such attacks in the first eight months of 2016. The FBI recommends that you not pay a ransom, since every payment encourages more criminal activity. Ransomware is the situation where an unexpected message pops up on your screen telling you that your data has been taken hostage in some way. The message goes on to say that if you pay thousands of dollars, they will furnish you a way to get your information back. What a nightmare.

Evildoers can hold or threaten your information in several ways. They can encrypt your data and force you to purchase the decryption key. That is the bad version. They can lock your screen. That is easier to overcome. They can overwrite your Master Boot Record, which can also be overcome. Finally, they may simply pretend they have control and try to frighten you into doing what they want. They may even pretend to be the FBI or IRS. That is nothing to be concerned about.

How to determine your status? If you can browse through your computer folders, but you cannot open actual files, then your data has been encrypted. That is bad. If you cannot move off the warning screen, then it is likely a screen-locker. That can be easily defeated. If you are able to freely access everything on your computer then you are likely the victim of a hoax threat and they hope to scare you into paying. In that case, you are in no danger. You can simply close the web page. In some cases you may have to use the Task Manager to close the page as it may be forced to stay open, but that is no big deal.

Paying a hostage ransom is not advised. First, there is no guarantee that your information will be released after you pay. Secondly, it encourages additional attacks on you and others. However, be aware that if you were unprepared and something truly necessary must be recovered, a lot of people have found that for a mere $300 ransom they could get their information back. So, even if you feel that you MUST pay, keep it a low amount, and never leave your information so vulnerable again. We recommend that you never pay. Rebuild the information again no matter how much work it takes, and do not encourage criminal activity.

So, what can you do? Well, first off, in preparation you should keep daily backups of everything important. Then, if you get attacked you can erase/wipe the computer and reload everything back onto it. That is a lot of trouble, but at least you are not rewarding criminals and you have not been made a victim.

If you use old software, then turn off macros except for when you need them. They can be exploited, especially in email attachments. The best thing is to upgrade to modern software. Microsoft uses “Protected View” to protect you from macros that engage automatically and unleash a virus. That allows you to safely look at an email attachment, like an Excel spreadsheet or Word document, before allowing it to become active. If you do not recognize it, then do not fully open or save it. Also, software called a “Sandbox” can be installed, which isolates email attachments until they can be reviewed.

ENCRYPTION RANSOMWARE
STEP 1. If it appears to be an encryption attack, then immediately disconnect the computer from the network, other computers, and any external devices such as drives. At that point you have isolated the problem, assuming that it has not already been passed to other devices.

STEP 2. Make a record of the ransom note with a photograph. You can take a screenshot, but you risk saving it over data that you may want to recover. Making sure that date and time information are always correct on your devices keeps them ready for emergency situations like this. The images will be used as photographic evidence which can be turned over to the FBI and police.

STEP 3. Contact the FBI at www.ic3.gov and your local police department. Report the crime with as much detail as you can, including information about your system, your operating software, your access points to the internet, the circumstances of discovering the message, an account of what you last remember doing before the ransom message, and your ransom message photographs.

STEP 4. Consider calling a professional private investigator at this point. Below is additional information but you proceed at your own risk.

STEP 5. Use antivirus or anti-malware software to remove the ransomware. You may have to put the computer into Safe Mode. To do so, reboot the computer and hold down the “S” key on the keyboard while it is rebooting. Removing the ransomware will not decrypt your files, but it will stop additional damage from continuing. It will also kill your opportunity to pay the ransom later. So, be sure that is the route you want to take before you do it.

STEP 6. Recover deleted files. A common method of encrypting files is to make a copy of each file, encrypt the copy, save it under the original file name, and delete the original. In that case, there will likely be deleted versions of the files which can be restored. That is why you do not want to continue working on the computer even if you have control of it. Doing so could overwrite that deleted data, making it unrecoverable. There is software available to recover deleted files, but make inquiries as to whether loading it may overwrite some of the files you wish to recover. That’s another reason to call a professional. If they have overwritten the Master Boot Record, then see Step #14.

STEP 7. Attempt to identify the ransomware through an online service such as ID Ransomware or Crypto Sheriff. You can upload one of your files and they can often tell you whether the encryption can be reversed.

STEP 8. If the ransomware could be identified then try the website “No More Ransom” to find a decryptor, or many other online sources, including antivirus software companies. Often the files cannot be decrypted.

STEP 9. If you have backups of your files, then that is your best resource, once the malicious software has been removed. First, you need to check those backup files and make sure that they too have not been infected, preferably using a different computer. That is also why it is a good idea to have a backup of the backup once in a while, like once per month or so. That gives you a point far back in time to restore from even if your regular backup has been compromised along with your computer. Do not use the backup yet.
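The status check described earlier (folders browsable, files unopenable) and the backup check in Step 9 both come down to asking whether files still look like what their names claim. The following Python script is an added example, not part of this post or any product it mentions; it triages a backup tree on a separate machine by looking for appended extensions, ransom-note-style file names, missing format headers, and encryption-like entropy in plain-text files. The extension list, note words and sample files are constructed for illustration.

```python
import math
import tempfile
from collections import Counter
from pathlib import Path

# Expected leading bytes for a few common formats (illustrative, not exhaustive).
MAGIC = {".pdf": b"%PDF", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".png": b"\x89PNG"}
PLAIN_TEXT = {".txt", ".csv", ".log", ".md"}
# Constructed, illustrative lists; not a family-specific indicator set.
SUSPECT_EXT = {".locked", ".encrypted", ".crypt", ".enc"}
NOTE_WORDS = ("decrypt", "ransom", "restore", "recover")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted data, usually under 5.5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def assess_file(path: Path, sample: int = 4096) -> list[str]:
    """Return the reasons a backup file looks encrypted or planted; an empty list means it looks intact."""
    reasons = []
    ext = path.suffix.lower()
    head = path.read_bytes()[:sample]
    if ext in SUSPECT_EXT:
        reasons.append(f"ransomware-style extension {ext}")
    if any(w in path.stem.lower() for w in NOTE_WORDS):
        reasons.append("filename resembles a ransom note")
    if ext in MAGIC and not head.startswith(MAGIC[ext]):
        reasons.append(f"{ext} file lacks its expected header")
    if ext in PLAIN_TEXT and shannon_entropy(head) > 6.0:
        reasons.append("plain-text file has encryption-like entropy")
    return reasons

def scan_backup(root: Path) -> dict[str, list[str]]:
    """Walk a backup tree and map relative path -> reasons, for every suspicious file only."""
    return {str(p.relative_to(root)): r
            for p in sorted(root.rglob("*")) if p.is_file() and (r := assess_file(p))}

def build_sample_backup(root: Path) -> None:
    """Constructed sample data standing in for a backup set; not real captured files."""
    (root / "notes.txt").write_bytes(b"Quarterly sales notes. Call vendor Monday.\n" * 40)
    (root / "report.pdf").write_bytes(b"%PDF-1.4\n" + b"% ordinary content\n" * 100)
    scrambled = bytes(range(256)) * 16  # uniform bytes: entropy is exactly 8.0 bits/byte
    (root / "budget.xlsx").write_bytes(scrambled)       # header gone, extension kept
    (root / "minutes.txt").write_bytes(scrambled)       # text file now unreadable
    (root / "photo.png.locked").write_bytes(scrambled)  # extension appended
    (root / "HOW_TO_DECRYPT_FILES.txt").write_bytes(b"Your files are encrypted.\n")

def demo() -> dict[str, list[str]]:
    """Build the constructed backup in a temp directory and scan it."""
    root = Path(tempfile.mkdtemp())
    build_sample_backup(root)
    return scan_backup(root)

if __name__ == "__main__":
    for name, why in demo().items():
        print(name, "->", "; ".join(why))
```

Anything the scan flags should be treated as untrusted and left out of the restore in Step 11; a clean scan is evidence, not proof, so keep the monthly backup-of-the-backup as the fallback.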

STEP 10. Wipe the computer hard drive completely, and do a clean installation of your operating software, like Windows. If you simply restore your files, there is a chance that some of the ransomware could remain on the computer and cause issues. Install all of your software programs and set the computer back up.

STEP 11. Restore your backed-up files onto your computer. Everything here is a time-consuming process, but it is the best hope of recovery.

STEP 12. I am loath to even list this step. If there is some reason that you feel you must deal with the criminals, then negotiate for a better deal. They expect you to do so, and they expect to collect less. However, again, realize that they may take your money and leave your computer data locked up. It is a gamble. OR…

STEP 13. You can just Start Over. Forget about the lost data, wipe the hard drive clean, and reinstall your operating software. This can be done with no loss if you maintain your data in multiple locations. It is advisable not only to back up your data, but to keep actual working copies on other drives which are not usually connected to your computer except to copy the files for this purpose. If you have a lot of data it may take several hours for your computer to copy information over to an external hard drive, but you can continue to work while it does that if your data use is not high, like drafting documents.

STEP 14. If the Master Boot Record was overwritten, then you can take it to a computer repair shop and they can recreate it. The best antidote is to create a bootable file ahead of time along with a Master Boot Record and to keep it on separate media like a USB device (or whatever is later in vogue) and in a safe place.

SCREEN-LOCKING RANSOMWARE
STEP 1. Immediately disconnect the computer from the network, other computers, and any external devices such as drives. At that point you have isolated the problem, assuming that it has not already been passed to other devices.

STEP 2. Make a record of the ransom note with a photograph, and if possible, a screenshot. That’s a good reason to make sure that date and time are always correct on your devices. The images will be used as photographic evidence which can be turned over to the FBI and police.

STEP 3. Contact the FBI at www.ic3.gov and your local police department. Report the crime with as much detail as you can, including information about your system, your operating software, your access points to the internet, the circumstances of discovering the message, an account of what you last remember doing before the ransom message, and your ransom message photographs.

STEP 4. Put the computer into Safe Mode. To do so, reboot the computer and hold down the “S” key on the keyboard while it is rebooting. Access your antivirus or malware software and attempt to remove the ransomware.

STEP 5. If Step 4 did not work, then for a Windows computer use System Restore to load an older state of the computer system. If that does not work, then take it to a computer repair shop. They can likely get it back in working order for you.

STEP 6. Reboot the computer normally and run antivirus software to make sure the system is as clean as possible.
